Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 33f4cdc87f17fb37…

MALICIOUS

Office (OLE) / .XLS

234.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-08-10
MD5: e0946a78fc26ca171545392a44be7889 SHA-1: 072868e101afb93de47fc2b38832f24e8011a1c6 SHA-256: 33f4cdc87f17fb37ad8b3dd956e90a807dda3c65537bad975de6c0ef287282c1
110 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The VBA macro uses `CreateObject` to interact with the file system and execute a JavaScript file named 'xeUMa.js'. The script is renamed from '.txt' to '.js' before execution. The macro also attempts to paste content into the user's profile directory, likely to stage the payload. This indicates a downloader or dropper functionality.

Heuristics 5

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c608b24f8e4c4b7e1f98f9a12dd198ca2937c81603cf08e794c4ce065e8a9d69		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1099 bytes
ole10native_00.bin
1368427c48d6be26c03b708dfc30c1d13d401574cf2b9410e9fff4463b2538ad		 ole-package OLE Ole10Native stream: MBD08F8B410/Ole10Native 1611 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.